> For the complete documentation index, see [llms.txt](https://docs.cooku222.kr/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cooku222.kr/security/mobile/frida-lab/frida-labs-0x2.md).

# Frida-Labs 0x2

출처: <https://github.com/DERE-ad2001/Frida-Labs/tree/main/Frida%200x2>

***

우선 adb에 해당 문제 어플을 깔아준다.

```
C:\Users\after\Downloads>adb install Challenge_0x2.apk
Performing Streamed Install
Success
```

정상적으로 설치된 것을 확인할 수 있고 jadx로 정적분석을 시도한다.

<figure><img src="https://blog.kakaocdn.net/dna/bA7bdp/dJMcadnoSDo/AAAAAAAAAAAAAAAAAAAAAGTukXaLacv1QfjNo-O3t5Aze275suuTqxn9ng6aCTPm/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=UlKFCZL9%2BdFFsUEm91di4DlBxpo%3D" alt="" height="737" width="1426"><figcaption></figcaption></figure>

MainActivity부터 들어가보면, get\_flag()에서 인자의 값이 4919와 동일하면 해당 함수를 호출할 수 있다. 참고로 이 함수는 textView 설정하는 거 외에 하는 일이 없는 것을 확인할 수 있다.\
(덤으로 AES CBC 모드가 사용된 것을 확인할 수 있으나 여기서 실습하는 개념은 아니다)

```
C:\Users\after\Downloads>frida-ps -Uai
 PID  Name            Identifier
----  --------------  ---------------------------------------
...   ...             ...
   -  Frida 0x2       com.ad2001.frida0x2
```

Frida 프로세스 아이디가 정상적으로 떠있는 걸 확인한다.

```
Java.perform(function() {

    var <class_reference> = Java.use("<package_name>.<class>");
    <class_reference>.<static_method>();

})
```

앞서 frida 0x1에서 위와 같은 템플릿을 봤으니 여기서도 응용한다.

```
Java.perform(function(){
    var a= Java.use("com.ad2001.frida0x2.MainActivity");
    a.get_flag(4919);
})
```

```
C:\Users\after\Downloads>frida -U -f com.ad2001.frida0x2
     ____
    / _  |   Frida 17.5.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `com.ad2001.frida0x2`...                               
Spawned `com.ad2001.frida0x2`. Resuming main thread!            
[Android Emulator 5554::com.ad2001.frida0x2 ]-> Java.perform(fu
nction(){var a= Java.use("com.ad2001.frida0x2.MainActivity"); a
.get_flag(4919);})
[Android Emulator 5554::com.ad2001.frida0x2 ]->
```

&#x20;

<figure><img src="https://blog.kakaocdn.net/dna/kFtzF/dJMcaadbUr6/AAAAAAAAAAAAAAAAAAAAAPozisc_iRzxx7Q10WOyeUHXS8txpxLzMssHjDUq9Qbn/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=Wcu2UcAC167YXgtkf%2FPIJllNaiw%3D" alt="" height="583" width="286"><figcaption></figcaption></figure>

플래그가 나오는 것을 확인할 수 있다.&#x20;


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cooku222.kr/security/mobile/frida-lab/frida-labs-0x2.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.